G'day all
One of our IT team has a big problem and I'm trying to gather irrefutable evidence to expose it. He is a saboteur and intermittently causes problems on our network. These range from turning things off or unplugging them (routers, switches, servers) to modifying settings (deleting DNS entries, enabling DHCP, etc.).
I've been unable to catch him red-handed, so I have the OK to install monitoring/keylogging software on his workstation. I'm looking for a recommendation on a commercial keylogging package. Can anyone suggest something please?

Last edited by clubsprint on Tue Apr 21, 2009 9:22 am; edited 1 time in total

I wouldn't recommend any product or any investigation, apart from it probably being illegal. Your bosses won't like it if you start your own investigation. You need to do remedial work here. I suggest that you (if you are his boss; if not, raise this with his boss) first implement a change control process. If you do this and this person changes something without authorisation, then you have something to act on. Maybe also detail everything this person may have done wrong and have a meeting with HR and this person, and put to him what looks to me like bad practice on his part.

If I was a manager and I found out that someone in IT was running an investigation into someone, I would be scared that if the person in IT didn't like me then they might run an investigation into me, and you will always find something to get someone sacked, e.g. inappropriate use of phone, email or web, or bad-mouthing someone in an email. I would also get the investigator sacked.

I am the IT security consultant.
The investigation is being run with managers approval.
A change control process only works if everyone does the right thing.
Company policy states that there is no presumption of privacy or user ownership. All IT is owned by the company.
This guy is malicious. He's breaking stuff on purpose. I just have to catch him. Let me worry about the HR touchy-feely crap.

Now, has anyone had experience with and can recommend a good keylogging/monitoring package?

Don't take this the wrong way, but for an IT consultant you're trying to find a technical solution where one is not required. If this guy has already done what you have said, then:

1 - He should either be fired for incompetence
2 - HR and the manager should be pulling him up and putting him on notice

Either way, HR should be involved and should not be approving such a shoddy action. I don't know which country you're from, but I bet it's the UK, so have you considered what happens if this guy takes the company to an industrial tribunal or even to court? In less than 30 seconds I found 3 pieces of legislation that you are potentially breaking.

Quote:

A change control process only works if everyone does the right thing.

In my experience, not adhering to CC was a sackable offence. Does any company document state what the repercussions of not following CC are?

Quote:

Company policy states that there is no presumption of privacy or user ownership

Has someone from legal signed this off? Because this is not the case.

Article 8 of the Human Rights Act 1998 is the Right to Respect for Private and Family Life. If the company is a public authority there is already legal precedent (Copland v. United Kingdom) that collection of data with respect to personal email and telephone usage interferes with that right.

RIP Act 2000

Quote:

Regulation 3 authorises interception of communications for the carrying on of the employers business. Such monitoring must be for one of the specified purposes listed under Regulation 3(1). This interception is only lawful if all reasonable efforts have been made by the employer to inform everyone that uses the telecommunications system that their communications may be intercepted (Regulation 3(2)).

Can you say that there is a policy stating this?

What are you going to do if you do find something? Sounds like you have grounds to bin him off anyway.

The question is, do you want to do what's right or what gets you paid? As a security professional I would do the right thing.

I am not saying don't do this, but there are other avenues. Have you considered them, or don't you care?

Not sure how your data centre is set up, but it sounds like you have loose physical security. I take it you do not have an electronic badge system or video surveillance (at least in and out of the doors to your data centre), which you may want to look into investing in, as this will give you better control as to who did what and when.

As to changing DNS/DHCP or other directory services, have you set up auditing for that? If you have, that will produce a message in the event log when someone makes a change. Obviously you would have to create a policy which forbids using a general account to make any directory service changes.
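To show what "auditing produces a message in the event log" buys you in practice, here is an added example that is not part of the thread: a small Python triage script run over a constructed, simplified export of Windows Security event 5136 ("A directory service object was modified"). In an Active Directory-integrated DNS zone, records live as dnsNode objects, so once "Audit Directory Service Changes" is enabled and a SACL is set on the zone, a deleted record appears as a 5136 with OperationType %%14675 (value deleted). The one-line key=value format, the account names, the "shared account" list and the business-hours window are all assumptions made for the example; a real export (e.g. from wevtutil or Get-WinEvent) would need its own parser.

```python
"""Triage constructed Windows Security 5136 events for directory/DNS changes
made from shared accounts or outside change-control hours.

Added example for illustration; the event lines and policy inputs below are
constructed and are not taken from any real system.
"""
import re
from datetime import datetime

# Constructed sample export: one event per line as key=value pairs. Field names
# follow the 5136 event schema; %%14674 = value added, %%14675 = value deleted.
SAMPLE_EVENTS = """\
TimeCreated=2009-04-20T22:14:03 EventID=5136 SubjectUserName=administrator ObjectDN=DC=fileserver01,DC=corp,DC=example ObjectClass=dnsNode AttributeLDAPDisplayName=dnsRecord OperationType=%%14675
TimeCreated=2009-04-20T10:02:41 EventID=5136 SubjectUserName=jsmith ObjectDN=CN=Users,DC=corp,DC=example ObjectClass=user AttributeLDAPDisplayName=description OperationType=%%14674
TimeCreated=2009-04-20T22:15:10 EventID=5136 SubjectUserName=svc_backup ObjectDN=DC=intranet,DC=corp,DC=example ObjectClass=dnsNode AttributeLDAPDisplayName=dnsRecord OperationType=%%14675
TimeCreated=2009-04-21T09:01:00 EventID=4624 SubjectUserName=jsmith LogonType=2
"""

# Assumed policy inputs: generic/shared accounts that should never make
# directory changes, and the hours in which change control permits work.
SHARED_ACCOUNTS = {"administrator", "svc_backup"}
BUSINESS_HOURS = range(8, 18)

OPERATION_NAMES = {"%%14674": "value added", "%%14675": "value deleted"}
DNS_CLASSES = {"dnsNode", "dnsZone"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the one-event-per-line export into a list of field dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(FIELD_RE.findall(line)))
    return events


def flag_suspicious(events, shared_accounts=SHARED_ACCOUNTS,
                    business_hours=BUSINESS_HOURS):
    """Return 5136 events that break the assumed policy, with the reasons."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "5136":
            continue  # only directory-object modifications are of interest here
        user = ev.get("SubjectUserName", "").lower()
        when = datetime.fromisoformat(ev["TimeCreated"])
        reasons = []
        if user in shared_accounts:
            reasons.append("change made from shared account")
        if when.hour not in business_hours:
            reasons.append("change outside business hours")
        if ev.get("ObjectClass") in DNS_CLASSES and ev.get("OperationType") == "%%14675":
            reasons.append("DNS record deleted")
        if reasons:
            findings.append({
                "time": when,
                "user": user,
                "object": ev.get("ObjectDN", ""),
                "attribute": ev.get("AttributeLDAPDisplayName", ""),
                "operation": OPERATION_NAMES.get(ev.get("OperationType"), "unknown"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['user']:<14} {f['operation']:<13} "
              f"{f['attribute']} on {f['object']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The point is that the evidence comes from the audit trail rather than from the suspect's keyboard: a shared account tells you which credential was used, not who typed, which is exactly why the post's policy point (no directory changes from general accounts) has to come first, and why the time window and the object touched are what you would correlate with badge or logon records.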

OK, I'm really not interested in the legal/political side of keylogging. If you work here you have to sign a contract which states that all data, etc., belongs to the company. There is no privacy on our systems.

The vandal is part of the IT department, so it's quite difficult to get good evidence, plus he has extensive physical access, generic admin accounts, etc. I would love to have video surveillance but it's out of budget.

I have gathered what I consider enough evidence through normal logs but manager and HR are not convinced.

I actually like the guy, but I can't put up with a system getting broken every time he's unhappy about something.